Open ben-grande opened 3 months ago
Can you ping sys-net from sys-firewall?
> Can you ping sys-net from sys-firewall?
I can ping sys-net from sys-firewall successfully before and after doing the changes.
To be clear ping6 both ways?
Can you ping6 router by IPv6 address from both?
> To be clear ping6 both ways?
From sys-firewall to sys-net using the value of eth0 inet6 address (got from sys-firewall), ping -6 works before and after disabling IPv4.
ping6 2001:4860:4860::8888 from both?
I ask because I have working 6. Did you remember to set nameserver?
example.com provides ip4 and ip6 hosts for testing. Quad9 is 2620:fe::fe
traceroute6 may show you the issue
> ping6 2001:4860:4860::8888 from both?
Works from both sys-net and sys-firewall before and after disabling IPv4.
> I ask because I have working 6. Did you remember to set nameserver?
On sys-net, with IPv4 and IPv6 enabled, the Network Manager sets /etc/resolv.conf nameservers to the IPv4 address and IPv6 address of the router.
I did not set nameserver manually on sys-net or sys-firewall. After disabling IPv4, only the IPv6 nameserver remains on sys-net /etc/resolv.conf.
I am not sure to what extent Qubes' IPv6 DNS limitations apply to IPv6-only networks.
> example.com provides ip4 and ip6 hosts for testing. Quad9 is 2620:fe::fe
> traceroute6 may show you the issue
From sys-firewall, pinging example.com with -4 and -6 works before disabling IPv4. After disabling, DNS is not resolved and I can ping only by IPv6 address, such as ping6 2001:4860:4860::8888.
I did not understand how to use traceroute in this case, therefore I used tcpdump.
sys-net monitoring downstream (sys-firewall) calling ping -c1 example.com (works):
IP 10.138.5.10.46244 > 10.139.1.1.domain: 54727+ A? example.com. (29)
IP 10.138.5.10.46244 > 10.139.1.1.domain: 28354+ AAAA? example.com. (29)
IP 10.139.1.1.domain > 10.138.5.10.46244: 54727 1/0/0 A 93.184.215.14 (45)
IP 10.139.1.1.domain > 10.138.5.10.46244: 28354 1/0/0 AAAA 2606:2800:21f:cb07:6820:80da:af6b:8b2c (57)
IP 10.138.5.10 > 93.184.215.14: ICMP echo request, id 60127, seq 1, length 64
IP 93.184.215.14 > 10.138.5.10: ICMP echo reply, id 60127, seq 1, length 64
IP 10.138.5.10.40387 > 10.139.1.1.domain: 55144+ PTR? 14.215.184.93.in-addr.arpa. (44)
IP 10.139.1.1.domain > 10.138.5.10.40387: 55144 NXDomain 0/0/0 (44)
sys-net monitoring downstream (sys-firewall) calling ping6 -c1 example.com (works):
IP 10.138.5.10.57357 > 10.139.1.1.domain: 15543+ A? example.com. (29)
IP 10.138.5.10.57357 > 10.139.1.1.domain: 29361+ AAAA? example.com. (29)
IP 10.139.1.1.domain > 10.138.5.10.57357: 15543 1/0/0 A 93.184.215.14 (45)
IP 10.139.1.1.domain > 10.138.5.10.57357: 29361 1/0/0 AAAA 2606:2800:21f:cb07:6820:80da:af6b:8b2c (57)
IP 10.138.5.10.55898 > 10.139.1.1.domain: 46406+ PTR? c.2.b.8.b.6.f.a.a.d.0.8.0.2.8.6.7.0.b.c.f.1.2.0.0.0.8.2.6.0.6.2.ip6.arpa. (90)
IP 10.139.1.1.domain > 10.138.5.10.55898: 46406 NXDomain 0/0/0 (90)
IP6 fd09:24ef:4179::a8a:500 > 2606:2800:21f:cb07:6820:80da:af6b:8b2c: ICMP6, echo request, id 4095, seq 1, length 64
IP6 2606:2800:21f:cb07:6820:80da:af6b:8b2c > fd09:24ef:4179::a8a:500: ICMP6, echo reply, id 4095, seq 1, length 64
IP 10.138.5.10.45985 > 10.139.1.1.domain: 38159+ PTR? c.2.b.8.b.6.f.a.a.d.0.8.0.2.8.6.7.0.b.c.f.1.2.0.0.0.8.2.6.0.6.2.ip6.arpa. (90)
IP 10.139.1.1.domain > 10.138.5.10.45985: 38159 NXDomain 0/0/0 (90)
sys-net monitoring downstream (sys-firewall) calling ping -c1 example.com (fails expected?):
IP 10.138.5.10.47235 > 10.139.1.1.domain: 6731+ A? example.com. (29)
IP 10.138.27.114 > 10.138.5.10: ICMP net 10.139.1.1 unreachable, length 65
IP 10.138.5.10.47235 > 10.139.1.1.domain: 20556+ AAAA? example.com. (29)
IP 10.138.27.114 > 10.138.5.10: ICMP net 10.139.1.1 unreachable, length 65
IP 10.138.5.10.45426 > 10.139.1.2.domain: 6731+ A? example.com. (29)
IP 10.138.5.10.45426 > 10.139.1.2.domain: 20556+ AAAA? example.com. (29)
sys-net monitoring downstream (sys-firewall) calling ping6 -c1 example.com (fails unexpected):
IP 10.138.5.10.43045 > 10.139.1.1.domain: 61814+ A? example.com. (29)
IP 10.138.27.114 > 10.138.5.10: ICMP net 10.139.1.1 unreachable, length 65
IP 10.138.5.10.43045 > 10.139.1.1.domain: 27405+ AAAA? example.com. (29)
IP 10.138.27.114 > 10.138.5.10: ICMP net 10.139.1.1 unreachable, length 65
IP 10.138.5.10.35613 > 10.139.1.2.domain: 61814+ A? example.com. (29)
IP 10.138.5.10.35613 > 10.139.1.2.domain: 27405+ AAAA? example.com. (29)
sys-net monitoring downstream (sys-firewall) calling ping6 -c1 2606:2800:21f:cb07:6820:80da:af6b:8b2c (works):
IP6 fd09:24ef:4179::a8a:500 > 2606:2800:21f:cb07:6820:80da:af6b:8b2c: ICMP6, echo request, id 28242, seq 1, length 64
IP6 2606:2800:21f:cb07:6820:80da:af6b:8b2c > fd09:24ef:4179::a8a:500: ICMP6, echo reply, id 28242, seq 1, length 64
Ok, I used traceroute now.
Before disabling IPv4, traceroute6 example.com is fast on sys-net and sys-firewall.
After disabling IPv4, traceroute6 example.com is fast on sys-net and very slow (2+ minutes) on sys-firewall.
Following quotes are from IPv6 limitations in Qubes.
> Currently only IPv4 DNS servers are configured, regardless of ipv6 feature state. It is done this way to avoid reconfiguring all connected qubes whenever IPv6 DNS becomes available or not.
That is good.
> Configuring qubes to always use IPv6 DNS and only fallback to IPv4 may result in relatively long timeouts and poor usability.
Not good, does this issue fall into Qubes IPv6 DNS code stalled?
> But note that DNS using IPv4 does not prevent to return IPv6 addresses. In practice this is only a problem for IPv6-only networks.
Qubes OS release
R4.2
Brief summary
I have a router with IPv4 and IPv6 addresses. Network manager enables both to be used.
I followed the steps to enable IPv6, also restarted all netvms in the same chain. I configured on the Network Manager to use only the IPv6 connection and disable IPv4.
Only sys-net has network and every qube below it does not have network, no dns, no IPv4, no IPv6.
Steps to reproduce
Test on sys-net and sys-firewall:
sys-net:
sys-firewall:
sys-firewall test ipv4:
sys-firewall test ipv6 DNS
Trying [2600:9000:275f:a800:18:3c03:3680:93a1]:443...
Immediate connect fail for 2600:9000:275f:a800:18:3c03:3680:93a1: Network is unreachable
Failed to connect to v6.ipv6test.app port 443 after 3220 ms: Couldn't connect to server
Closing connection 0
curl: (7) Failed to connect to v6.ipv6test.app port 443 after 3220 ms: Couldn't connect to server
$ curl 1.1.1.1
301 Moved Permanently
Retry the connection:
sys-net:
sys-firewall:
Expected behavior
Network functional.
Actual behavior
No network, no DNS, no IPv4, no IPv6.
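The tcpdump captures posted in this thread can be summarized mechanically. The following is an added example, not part of the original issue and not Qubes OS code: it parses capture lines copied from the thread and reports, per resolver address, the address family used for DNS transport, how many queries went unanswered, and how many ICMP unreachable errors came back. The function names `summarize` and `ipv4_only_dns_failure` are hypothetical, and only the IPv4 ICMP message form seen in the thread is handled.

```python
import re

# Capture lines copied from the thread: ping6 by name after IPv4 was disabled...
FAILING = """\
IP 10.138.5.10.43045 > 10.139.1.1.domain: 61814+ A? example.com. (29)
IP 10.138.27.114 > 10.138.5.10: ICMP net 10.139.1.1 unreachable, length 65
IP 10.138.5.10.43045 > 10.139.1.1.domain: 27405+ AAAA? example.com. (29)
IP 10.138.27.114 > 10.138.5.10: ICMP net 10.139.1.1 unreachable, length 65
IP 10.138.5.10.35613 > 10.139.1.2.domain: 61814+ A? example.com. (29)
IP 10.138.5.10.35613 > 10.139.1.2.domain: 27405+ AAAA? example.com. (29)
"""
# ...and the DNS exchange of the same command while IPv4 was still enabled.
WORKING = """\
IP 10.138.5.10.57357 > 10.139.1.1.domain: 15543+ A? example.com. (29)
IP 10.138.5.10.57357 > 10.139.1.1.domain: 29361+ AAAA? example.com. (29)
IP 10.139.1.1.domain > 10.138.5.10.57357: 15543 1/0/0 A 93.184.215.14 (45)
IP 10.139.1.1.domain > 10.138.5.10.57357: 29361 1/0/0 AAAA 2606:2800:21f:cb07:6820:80da:af6b:8b2c (57)
"""

QUERY = re.compile(r"^IP6? \S+ > (\S+)\.domain: (\d+)\S* [A-Z]+\? ")
REPLY = re.compile(r"^IP6? (\S+)\.domain > \S+ (\d+)")
UNREACH = re.compile(r"ICMP (?:net|host) (\S+) unreachable")


def summarize(capture):
    """Map each resolver address to family, query counts and ICMP errors."""
    stats = {}

    def entry(addr):
        family = "IP6" if ":" in addr else "IP"
        return stats.setdefault(addr, {"family": family, "asked": set(),
                                       "answered": set(), "unreachable": 0})

    for line in capture.splitlines():
        if m := QUERY.match(line):        # query sent to a resolver
            entry(m[1])["asked"].add(m[2])
        elif m := REPLY.match(line):      # any reply, NXDomain included
            entry(m[1])["answered"].add(m[2])
        elif m := UNREACH.search(line):   # ICMP error naming the resolver
            entry(m[1])["unreachable"] += 1
    return {a: {"family": s["family"], "asked": len(s["asked"]),
                "unanswered": len(s["asked"] - s["answered"]),
                "unreachable": s["unreachable"]} for a, s in stats.items()}


def ipv4_only_dns_failure(capture):
    """True when every queried resolver is IPv4 and none of them answered."""
    rows = [s for s in summarize(capture).values() if s["asked"]]
    return bool(rows) and all(s["family"] == "IP" and s["unanswered"] == s["asked"] for s in rows)
```

On the failing capture, every query is carried over IPv4 to 10.139.1.1 and 10.139.1.2 and none is answered, which matches the observation in the thread that ping6 by address works while ping6 by name does not.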